What businesses can learn from the Marriott data breach

Discovery of a data breach affecting up to 500 million Marriott International customers has exposed the hotel chain to the risk of eye-watering financial penalties – and raised questions about its security measures.

This incident should be a wake-up call for all businesses: it highlights the need to implement and audit technical and organisational security measures as part of a complete and ongoing data protection programme, and the role of M&A due diligence in data security.

Reports indicate that Marriott was alerted to an attempted breach of its Starwood guest reservation database on 8 September 2018. On further investigation, it discovered that unauthorised access had been ongoing since 2014 – two years before Marriott acquired the Starwood business in 2016.

An estimated 327 million of those Starwood guests have had their personal information compromised, making this the largest data breach seen since the introduction of new data protection legislation in Europe and the UK this year.

Data protection and the law

In the UK, protecting customers’ personal data is a legal obligation for companies. The General Data Protection Regulation (GDPR) and UK Data Protection Act 2018, which came into force this year, increased the focus on accountability for companies handling personal data.

The GDPR (Article 4(12)) defines a personal data breach as ‘a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data’. Companies have a duty to implement appropriate technical and organisational measures to ensure the security of personal data. This is an ongoing obligation – GDPR compliance requires regular monitoring, testing and updating of systems and software, not a one-off assessment.

The huge scale of the unauthorised access to the Starwood database is unquestionably a serious data breach. What makes it so significant is that the security measures failed and the intrusion then went undetected for around four years.

What happens next?

For Marriott, the immediate focus will be on notifying the ICO and informing the affected customers – both duties under the GDPR (Articles 33 and 34).

It is likely that the Information Commissioner’s Office (ICO) will investigate the breach to determine what steps to take. GDPR penalties are significant – the hotel group could face a fine of up to €20m (£17.8m) or 4% of its total worldwide annual turnover, whichever is higher. Although Marriott’s breach was not intentional, the inadequacy of its technical security measures, coupled with the four-year duration of the unauthorised access, will likely be aggravating factors.

Regulatory fines could just be the tip of the iceberg. Marriott will also potentially face class action lawsuits for compensation from impacted customers. In the US, Marriott is apparently already facing compensation claims. The UK courts recently found liability against Morrisons in a class action brought by 5,000 employees whose personal data was intentionally leaked by a disgruntled employee acting without authorisation.

What can other businesses learn?

That the breach had been ongoing for two years before Marriott’s acquisition of Starwood throws the spotlight on the role of M&A due diligence in data security, particularly in light of the new data protection legislation. That Marriott has inherited liability for a breach that began under Starwood’s ownership sends a clear message to other businesses. Data protection due diligence is a crucial part of any M&A transaction – the target’s systems, security controls and incident history should be rigorously tested and interrogated, not merely covered by contractual warranties.

Crucially, though, this case demonstrates the importance of incorporating regular monitoring, security testing and audit into an ongoing data protection compliance programme. Recording the results of those audits, and the remediation that followed, will also help in defending against any future actions by regulators or class action litigants.

Complacency is not an option under new data protection legislation – as Marriott has been unfortunate enough to find out.

Brian Craig is a legal director at UK law firm TLT and leads the firm's data privacy and protection team. Ellen Browne is a trainee solicitor in the team.

This article first appeared in The Caterer.

This publication is intended for general guidance and represents our understanding of the relevant law and practice as at December 2018. Specific advice should be sought for specific cases. For more information see our terms & conditions.